OpenVPN disconnect after exact 1 hour

Since I updated the pritunl server to the latest version, my clients disconnect after exact 1 hour.

In the logs, I get the following:
[VPN-Edgeserver01][2024-10-23 09:18:00,269][ERROR] User failed auth update check
server_id = “5b339226572cc102f1a4a472”
instance_id = “6718923e230aa9cb1e9aa919”
user_id = “60c30c4cc2495c32659a176b”
Traceback (most recent call last):
File “/usr/lib/pritunl/usr/lib/python3.9/threading.py”, line 937, in _bootstrap
self._bootstrap_inner()
File “/usr/lib/pritunl/usr/lib/python3.9/threading.py”, line 980, in _bootstrap_inner
self.run()
File “/usr/lib/pritunl/usr/lib/python3.9/threading.py”, line 917, in run
self._target(*self._args, **self._kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/clients/clients.py”, line 2507, in _auth_check_thread
logger.error(‘User failed auth update check’,
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/logger/init.py”, line 55, in error
kwargs[‘traceback’] = traceback.format_stack()

There’s another server (privacyIDEA) responsible for the RADIUS (OTP Token) authentication.

Here I get:
‘wrong otp value. previous otp used again’

I think, that’s because the option “Enable Client Reconnect” is selected.

Environment:
Pritunl server version v1.32.4057.36 2a185a
OpenVPN client version 3.5.1.3946

Any ideas on how to fix this issue?

Regards
Andy

The auth update checks the users single sign-on status every hour to disconnect users who are disabled or removed from single sign-on. If the Radius server expects a OTP this feature will need to be disabled by running sudo pritunl set app.sso_connection_check false

Great! Thanks for the info.
I give it a shot and see how it goes!

Thanks again zach!
This did the trick. I wonder, if this feature was different in previous versions of pritunl :thinking:
Because the message ‘wrong otp value. previous otp used again’ was also seen on the RADIUS server with the old version without the user been disconnected.
Anyway, it is what it is.

Have a great weekend ahead!
Andy

This was a recently added feature. Previously there was a sync to obtain an updated list of user groups to perform a recheck of the users access based on groups. This is only effective for group based configurations, organizations cannot change without removing the user. This would not disconnect users on a failed sync. There are also older releases that have no sync during connection. Current releases sync both the user status and user groups.

Thanks für the Update :+1: